freeradius and yubikeys

Frederic Van Espen frederic.ve at gmail.com
Fri May 9 12:14:26 CEST 2014


On Fri, May 9, 2014 at 9:11 AM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
> Which you'd get if you rolled your own packages, and hey you'd actually be
> contributing something, because if you came across any defects, you might
> actually be able to provide useful debugging info.

I now have version 3.0.2 up and running with rlm_yubikey. For this
testing setup, I'm simply trying to validate to the public yubicloud
server using the validate mode.

When I was using the rlm_perl based module, I was able to enter a user
password, followed by the OTP token. The perl module extracted the OTP
and passed on the user password for further authentication (in my case
LDAP). Now when I use radtest like this:
root@obelix-clone:/usr/src# radtest fes testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr 127.0.0.1 0 testing123
Sending Access-Request of id 85 from 0.0.0.0 port 56523 to 127.0.0.1 port 1812
User-Name = 'fes'
User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'
NAS-IP-Address = 172.16.35.65
NAS-Port = 0
Message-Authenticator = 0x00
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=85, length=20


Here's the output of the server:
rad_recv: Access-Request packet from host 127.0.0.1 port 56523, id=85, length=121
User-Name = 'fes'
User-Password = 'testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr'
NAS-IP-Address = 172.16.35.65
NAS-Port = 0
Message-Authenticator = 0xf4c430ea058e22ef07ef239f42b0270f
Fri May  9 11:52:20 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
Fri May  9 11:52:20 2014 : Debug: (0)   authorize {
Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Fri May  9 11:52:20 2014 : Debug: (0)   [preprocess] = ok
Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: calling yubikey (rlm_yubikey) for request 0
Fri May  9 11:52:20 2014 : Debug: (0) yubikey : User-Password value is not the correct length, expected 44, got 59
Fri May  9 11:52:20 2014 : Debug: (0)   modsingle[authorize]: returned from yubikey (rlm_yubikey) for request 0
Fri May  9 11:52:20 2014 : Debug: (0)   [yubikey] = noop
Fri May  9 11:52:20 2014 : Debug: (0)    if (ok)
Fri May  9 11:52:20 2014 : Debug: (0)    if (ok)  -> FALSE

Do you know of any way to regain the behaviour of the rlm_perl based
module (user password AND OTP token for two factor authentication)?
Should I maybe handle that in the configuration?

Thanks,

Frederic
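
The split that the post describes the rlm_perl-based module as doing (password first, OTP last), as an added example that is not part of the original message and is not FreeRADIUS or rlm_yubikey code. The helper name `split_password_otp` is hypothetical, and the 12-character public ID assumes the default Yubico OTP layout.

```python
"""Added illustration: split 'password + YubiKey OTP' as sent in User-Password."""

MODHEX = frozenset("cbdefghijklnrtuv")  # modhex alphabet used by Yubico OTPs
OTP_LEN = 44        # length rlm_yubikey expects, per the debug output above
PUBLIC_ID_LEN = 12  # assumption: default Yubico layout (12-char public ID)


class SplitError(ValueError):
    """The combined value cannot be split into password and OTP."""


def split_password_otp(user_password, require_password=True):
    """Return (password, otp, public_id); hypothetical helper, not a FreeRADIUS API."""
    if len(user_password) < OTP_LEN:
        raise SplitError("value shorter than one OTP (%d chars)" % OTP_LEN)
    cut = len(user_password) - OTP_LEN
    password, otp = user_password[:cut], user_password[cut:]
    # Validate the tail before treating it as an OTP: a plain password that
    # happens to be 44+ characters long must not be sent to the validator.
    if not set(otp) <= MODHEX:
        raise SplitError("last %d characters are not modhex" % OTP_LEN)
    # An OTP with no password in front is one factor only; refuse it when
    # the policy is password AND token.
    if require_password and not password:
        raise SplitError("OTP present but password part is empty")
    return password, otp, otp[:PUBLIC_ID_LEN]


if __name__ == "__main__":
    # Value taken from the radtest run above.
    combined = "testingpasswordccccccdbkebjrndreglhlcdnrrkvcneruvcnnffieibr"
    password, otp, public_id = split_password_otp(combined)
    # Never log the password part; report lengths and the public ID only.
    print("password length:", len(password))
    print("otp length:", len(otp), "public id:", public_id)
```

The password part would then go to the LDAP check and the 44-character part to the Yubikey validation, matching the two-factor flow described for the rlm_perl setup.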

